New York’s Official Alert System Sends Accidental Spam, Raising Cybersecurity Concerns

On Monday, subscribers to New York state’s official text alert system received an unexpected message claiming to be from “B of A” about a declined transaction of $732.42, asking recipients to confirm by calling a phone number or replying “YES.” This concerning incident prompted state officials to issue a follow-up warning on Tuesday, explicitly instructing recipients not to respond to the message or call the provided number. Scott Reif, spokesperson for the NYS Office of Information Technology Services, confirmed to Newsweek that the message was sent “in error” and that the third-party vendor responsible for the state’s SMS service is currently investigating how this security breach occurred. This incident highlights the increasing vulnerability of even official government communication channels to potential phishing attempts.

The timing of this incident is particularly troubling given recent statistics showing that nearly 75 percent of Americans have already experienced online spam or phishing attacks, according to the Pew Research Center. Phishing—the deceptive practice of soliciting personal information like passwords or bank details through misleading communications—continues to rise at an alarming rate. Consumer Reports’ Cyber Readiness Report indicates that spam texts increased by a staggering 50 percent between 2024 and 2025 alone. The New York incident is especially concerning because it exploited an official, trusted communication channel that residents rely on for legitimate updates about weather, tax filings, and other important government information. Reports on social media suggest this wasn’t an isolated case, with similar spam messages apparently being sent through other organizations’ communication systems during the same week.

“We are aware of a text message sent in error to some members of the public. Do not reply to the text message or call the phone number. This text message was not sent by New York State, and an investigation is ongoing by the vendor,” Reif told Newsweek, emphasizing the seriousness with which state authorities are treating the incident. The New York State Office of Information Technology Services website already contains general cybersecurity guidance that now seems particularly relevant: “Be cautious about all communications you receive, including those that claim to be from ‘trusted entities.’ Be careful when clicking any links contained within those messages. If in doubt, do not click.” The fact that this incident occurred through an official government channel, however, complicates the standard advice about scrutinizing messages from unknown sources.

The Federal Trade Commission (FTC) provides helpful guidelines for identifying potential phishing attempts, though the New York incident demonstrates how sophisticated these attempts have become. Classic signs of phishing include generic greetings, claims about accounts being on hold due to billing problems, or invitations to click links to update payment details. “While real companies might communicate with you by email, legitimate companies won’t email or text with a link to update your payment information,” the FTC website states. “Phishing emails can often have real consequences for people who give scammers their information, including identity theft. And they might harm the reputation of the companies they’re spoofing.” The New York text message contained several of these red flags, including requesting a response about a financial transaction and providing a callback number—classic phishing tactics that aim to create urgency and prompt immediate action.

This incident serves as a stark reminder of how difficult it has become for average citizens to distinguish between legitimate communications and sophisticated scams. When even official government alert systems can be compromised or manipulated into sending deceptive messages, consumers face an increasingly complex security landscape. The reference to “B of A” (presumably Bank of America) in a state government text message should have immediately raised suspicions, but many recipients might not have questioned receiving financial alerts through this channel, especially if they bank with that institution. The specific amount mentioned ($732.42) also employs a common tactic used by scammers—providing a precise, seemingly legitimate figure to create a sense of authenticity and urgency about a potentially fraudulent transaction.

Looking forward, cybersecurity experts recommend several protective measures that individuals should take, regardless of where messages originate. The FTC advises using security software, regularly updating devices, implementing multi-factor authentication on accounts, and backing up data. Additionally, the New York incident reminds us to maintain healthy skepticism about any message requesting personal information or immediate action, even when it appears to come from trusted sources. As investigation into the New York text alert system continues, this case highlights the need for enhanced security protocols for government communication systems and better public education about evolving phishing tactics. For those who received the deceptive message, the best course of action remains clear: do not respond, do not call the number provided, and report such incidents to appropriate authorities who can investigate potential security breaches and protect other consumers from falling victim to similar schemes.